NetBSD-Bugs archive
Re: kern/46734: pool not drained
The following reply was made to PR kern/46734; it has been noted by GNATS.
From: Emmanuel Dreyfus <manu%netbsd.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: kern/46734: pool not drained
Date: Fri, 17 Aug 2012 15:28:45 +0000
Lots of talks and tests occurred behind the scene with Martin. Here is a
summary.

The kernel crashed because of an assertion when freeing a pool while some
objects were still allocated. This happened because we had pending parks
that were not freed at the time we freed the pool. And we proceeded with
unmounting while having pending parks because the unmount system call
was interrupted by a SIGCHLD that caused another unmount by closing
/dev/puffs.

This means we have a race condition in the kernel, but it seems it has
always been there. Reproducing it was hard. However, we spotted the change
that made the race condition likely to occur:

libpuffs maintains a lookup count in struct puffs_node in order to detect
race conditions between lookup and reclaim. Doing that, it assumes the
cookies always map to struct puffs_node. This was not the case for
libp2k, which mapped cookies to struct p2k_node. libpuffs therefore
corrupted struct libp2k_node.

That bug has been fixed in libp2k, and the fix has been pulled up to
netbsd-6. The kernel race condition on unmount remains but we were
not able to reproduce it anymore.
--
Emmanuel Dreyfus
manu%netbsd.org@localhost
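
The cookie type mismatch described in the message above, as an added example that is not part of the original message and is not libpuffs or libp2k code. All struct and function names are hypothetical stand-ins, and embedding the library's node as the first member is shown as one way to keep the library's assumption true, not as the fix that was committed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the library's node; only the counter matters. */
struct lib_node { void *parent; int lookups; };

/* Layer node that does not start with a lib_node: a cookie pointing at it
 * is not what the library expects. */
struct layer_node_bad { void *vnode; int state; };

/* Layer node with the library's node embedded first, so the same cookie
 * is also a valid pointer to a lib_node. */
struct layer_node_ok { struct lib_node ln; void *vnode; int state; };
_Static_assert(offsetof(struct layer_node_ok, ln) == 0,
               "library node must be the first member");

/* What the library does on each lookup: treat the opaque cookie as a
 * lib_node and bump its counter. memcpy keeps this demo well-defined C;
 * real code would do ((struct lib_node *)cookie)->lookups++. */
static void lib_note_lookup(void *cookie)
{
    unsigned char *p = (unsigned char *)cookie
                     + offsetof(struct lib_node, lookups);
    int n;
    memcpy(&n, p, sizeof n);
    n++;
    memcpy(p, &n, sizeof n);
}

/* Private state of the mismatched node after three lookups (starts at 7). */
int bad_state_after_lookups(void)
{
    struct layer_node_bad n = { NULL, 7 };
    for (int i = 0; i < 3; i++) lib_note_lookup(&n);
    return n.state;            /* the counter writes landed on 'state' */
}

/* Same sequence on the embedded layout: fills in the counter, returns state. */
int ok_state_after_lookups(int *lookups_out)
{
    struct layer_node_ok n = { { NULL, 0 }, NULL, 7 };
    for (int i = 0; i < 3; i++) lib_note_lookup(&n);
    *lookups_out = n.ln.lookups;
    return n.state;            /* private fields are untouched */
}

int main(void)
{
    int lookups;
    printf("mismatched layout: state=%d\n", bad_state_after_lookups());
    printf("embedded layout:   state=%d", ok_state_after_lookups(&lookups));
    printf(" lookups=%d\n", lookups);
    return 0;
}
```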